news from Google
Paul Ferguson
fergdawgster at gmail.com
Mon Dec 7 01:37:24 UTC 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Sun, Dec 6, 2009 at 5:30 PM, Danny McPherson <danny at tcb.net> wrote:
>
> I think one of the things that concerns me most with Google
> validating and jumping on the DNS "open resolver" bandwagon
> is that it'll force more folks (ISPs, enterprises and end
> users alike) to leave DNS resolver IP access wide open.
> Malware already commonly changes DNS resolver settings to
> rogue resolvers, and removes otherwise resident malcode from
> the end system to avoid detection by AV and the like.
>
> One of the primary recommendations I give to enterprises is to
> force use of internal resolvers, and log all other attempted
> DNS resolution queries elsewhere, it's a quick way to detect
> some compromised systems. [...]
Indeed -- as this is exactly what we have seen, as discussed in the good
white paper by Antoine Schonewille and Dirk-Jan van Helmond in 2006 (I've
used this paper as a reference many times), "The Domain Name Service as
an IDS: How DNS can be used for detecting and monitoring badware in a
network":
http://staff.science.uva.nl/~delaat/snb-2005-2006/p12/report.pdf
- - ferg
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.3 (Build 5003)
wj8DBQFLHFxJq1pz9mNUZTMRAti9AKDYQalIoQ5aHDjsRzU9bz6ulxVLUwCePYbW
v3KSVdE37Uyz/GXhC0dhaA0=
=K0HW
-----END PGP SIGNATURE-----
--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/
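The detection Danny describes above (force clients onto internal resolvers, then watch for anything that tries to resolve elsewhere) is easy to implement against ordinary firewall or flow logs. The following is an added example, not code from either poster or from the cited paper; the log format (key=value lines with src, dst, proto and dport fields), the sanctioned resolver addresses in INTERNAL_RESOLVERS, the internal address ranges and the sample log lines are all constructed for this illustration.

```python
"""
Added example (not from the NANOG thread): flag internal hosts that attempt DNS
resolution through any resolver other than the enterprise's sanctioned ones.

Assumptions (constructed for this example, not from the original message):
  - firewall/flow logs are key=value lines: <ts> action=.. src=.. dst=.. proto=.. dport=..
  - INTERNAL_RESOLVERS lists the sanctioned internal resolver addresses
  - INTERNAL_NETS lists the address ranges of the hosts being monitored
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Sanctioned internal resolvers (constructed addresses for the example).
INTERNAL_RESOLVERS = {ip_address("10.0.0.53"), ip_address("10.0.1.53")}

# Address ranges of the enterprise's own hosts (constructed for the example).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+action=(?P<action>\w+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)"
    r"\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict of fields, or None if the line is not in the expected format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ip_address(rec["src"])
    rec["dst"] = ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_dns(rec):
    """DNS over UDP or TCP to port 53; other traffic is not of interest here."""
    return rec["dport"] == 53 and rec["proto"].lower() in ("udp", "tcp")


def is_internal_host(ip):
    return any(ip in net for net in INTERNAL_NETS)


def find_rogue_resolver_use(lines):
    """
    Return {src_ip: sorted list of non-sanctioned resolver IPs} for every internal
    host that attempted DNS to a resolver outside INTERNAL_RESOLVERS.

    The firewall's verdict (allow/deny) is deliberately ignored: with internal
    resolvers enforced by policy, the attempt itself is the signal that a host's
    resolver settings have been changed, which is the behaviour the thread describes.
    """
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_dns(rec):
            continue
        if not is_internal_host(rec["src"]):
            continue
        if rec["dst"] in INTERNAL_RESOLVERS:
            continue
        hits[str(rec["src"])].add(str(rec["dst"]))
    return {src: sorted(dsts) for src, dsts in hits.items()}


# Constructed sample log lines (not real traffic; documentation address ranges).
SAMPLE_LOGS = [
    "2009-12-07T01:30:00Z action=allow src=10.1.2.3 dst=10.0.0.53 proto=udp dport=53",
    "2009-12-07T01:30:01Z action=deny src=10.1.2.3 dst=203.0.113.9 proto=udp dport=53",
    "2009-12-07T01:30:02Z action=deny src=10.1.2.3 dst=203.0.113.9 proto=tcp dport=53",
    "2009-12-07T01:30:03Z action=allow src=10.1.2.4 dst=10.0.1.53 proto=udp dport=53",
    "2009-12-07T01:30:04Z action=deny src=192.168.5.7 dst=198.51.100.2 proto=udp dport=53",
    "2009-12-07T01:30:05Z action=allow src=10.1.2.4 dst=198.51.100.80 proto=tcp dport=443",
    "malformed line that should be ignored",
]

if __name__ == "__main__":
    for src, resolvers in sorted(find_rogue_resolver_use(SAMPLE_LOGS).items()):
        print(f"{src} attempted DNS to non-sanctioned resolver(s): {', '.join(resolvers)}")
```

Run against the constructed sample, the script reports 10.1.2.3 and 192.168.5.7 and stays silent about 10.1.2.4, whose only queries went to a sanctioned resolver. In practice the allowlist and the list of internal ranges come from the resolver deployment rather than being hard-coded, and the hits feed a ticket or SIEM alert for each source host rather than stdout.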